Cryptology ePrint Archive: Report 2015/634

Phasing: Private Set Intersection using Permutation-based Hashing

Benny Pinkas and Thomas Schneider and Gil Segev and Michael Zohner

Abstract: Private Set Intersection (PSI) allows two parties to compute the intersection of private sets while revealing nothing more than the intersection itself. PSI needs to be applied to large data sets in scenarios such as measurement of ad conversion rates, data sharing, or contact discovery. Existing PSI protocols do not scale up well, and therefore some applications use insecure solutions instead. We describe a new approach for designing PSI protocols based on permutation-based hashing, which enables to reduce the length of items mapped to bins while ensuring that no collisions occur. We denote this approach as Phasing, for Permutation-based Hashing Set Intersection. Phasing can dramatically improve the performance of PSI protocols whose overhead depends on the length of the representations of input items. We apply Phasing to design a new approach for circuit-based PSI protocols. The resulting protocol is up to 5 times faster than the previously best Sort-Compare-Shuffle circuit of Huang et al. (NDSS 2012). We also apply Phasing to the OT-based PSI protocol of Pinkas et al. (USENIX Security 2014), which is the fastest PSI protocol to date. Together with additional improvements that reduce the computation complexity by a logarithmic factor, the resulting protocol improves run-time by a factor of up to 20 and can also have similar communication overhead as the previously best PSI protocol in that respect. The new protocol is only moderately less efficient than an insecure PSI protocol that is currently used by real-world applications, and is therefore the first secure PSI protocol that is scalable to the demands and the constraints of current real-world settings.

Category / Keywords: applications /

Original Publication (with major differences): USENIX Security Symposium 2015

Date: received 26 Jun 2015, last revised 27 Jul 2016

Contact author: michael zohner at ec-spride de

Available format(s): PDF | BibTeX Citation

Note: Added a note on how to achieve correctness when using multiple mapping functions, as was pointed out in

Version: 20160727:085105 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]